A Pump for Rapid, Reliable, Secure Communication

Myong H. Kang and Ira S. Moskowitz
Naval Research Laboratory
Information Technology Division
Washington, D.C. 20375


Abstract

Communication from a low- to a high-level system without acknowledgements will be unreliable; with acknowledgements, it can be insecure. We propose to provide quantifiable security, acceptable reliability, and minimal performance penalties by interposing a device (called the Pump) to push messages to the high system and provide a controlled stream of acknowledgements to the low system.

This paper describes how the Pump supports the transmission of messages upward and limits the capacity of the covert timing channel in the acknowledgement stream without affecting the average acknowledgement delay seen by the low system or the message delivery delay seen by the high system in the absence of actual Trojan horses. By adding random delays to the acknowledgment stream, we show how to further reduce the covert channel capacity even in the presence of cooperating Trojan horses in both the high and low systems. We also discuss engineering trade-offs relevant to practical use of the Pump.


1 Introduction

Currently many computer system users who deal with confidential/sensitive information use systems that are dedicated to a high level of security, i.e., system-high systems. All information residing in the system is marked with the system high level, even if some of the information is in fact innocuous. Sharing information between different security levels is quite cumbersome in this kind of system, which impedes high speed data transfer. Multilevel secure (MLS) systems promise to ease this problem.

Unfortunately, the security constraints in MLS systems often damage overall performance. We propose to add non-uniform random noise to response time to permit a high degree of security, while maintaining efficient performance standards. This paper is a first step in a research plan that we will eventually implement on an actual MLS system. We also plan to make further study of our ideas through various simulations. However, in this paper we present the system engineer with some rules of thumb to get both security and performance requirements within certain guidelines.

Let us consider a particular, either centralized or distributed, MLS system where two processes (nodes), one high and one low, are single-level processes (nodes). Two kinds of communication can exist between these processes (nodes):

• The high process sends information to the low process (this is sometimes called downgrading).

• The low process sends information to the high process.

The first type of communication grossly violates the Bell-LaPadula constraint [BeL76] that is used by most of the existing MLS systems. The second type of communication does violate Bell-LaPadula in a subtle manner if acknowledgements of a message being passed are provided to the low process. This, in fact, results in a covert channel. In this paper, we only consider the second type of communication, which we refer to as a low-to-high communication. Most MLS systems that are based on the Bell-LaPadula model accomplish this low-to-high communication through read-down or blind write-up. However, there are some reliability problems in these methods.

In secure computer systems, in addition to security, the following characteristics are required in most communication protocols: (1) reliability¹, (2) reasonable performance, and (3) a reasonable way to collect garbage. Sometimes the recoverability² in the case of system crash is a desirable feature. These are the goals that our method achieves in a secure fashion.

The rest of the paper is organized as follows: In section 2, we examine several communication methods in detail and discuss some problems inherent in them. A quasi-secure low-to-high communication mechanism that can achieve all of the above desirable properties is introduced in section 3. Section 4 describes the relevant security features of this mechanism. The capacity of the covert channel is analyzed in section 5. Section 6 summarizes this paper.


2 Background and Motivation

In this section, we present several methods of interprocess communication and show the difficulty in simultaneously achieving the goals in section 1.

2.1 A Non-Secure (Conventional) Communication Protocol

Communication protocols used in non-secure computer systems typically achieve reliability and reasonable performance. They also contain a reasonable way to collect garbage through the following typical scenario that is shown in figure 1.


¹ The communication is reliable if the source sends a message then it knows that either the message was delivered safely or that it has to retransmit due to errors.

² The communication is recoverable if the message is delivered to the destination even if the system fails, i.e., the system will recover and continue to deliver from the failed point.


Figure 1: Message passing from sources to destinations. (Figure not reproduced; it shows the message concentrator between the sources and the destinations.)

If the message passing occurs in a distributed environment, then the source and destination processes may reside in two different computers and the message concentrator itself may be yet another computer; if the message passing occurs in a single computer, then the operating system may play the role of the message concentrator (e.g., pipes in a UNIX system).

A typical message passing between a source and the message concentrator, and the message concentrator and a destination, goes as follows:

1. Establish transmission/connection.

2. Send a message.

• If the sender receives an ACK, then discard the message from the sender's memory.

• If the sender either receives a NAK or times out, then retransmit the message.

3. If there are more messages to send, then go to step (2).

4. Signoff/Disconnection.

If the source sends messages faster than the destination can take (either due to slow processing or failure at the destination) then the buffer in the message concentrator may be filled. The source then will be unable to send any more messages until the destination empties some messages from the message concentrator. We say that the source has been blocked in this case. In a non-secure environment, determining the size of buffer that keeps the message blocking probability within specified design limits has been widely studied [Sch77].

In a secure environment, if the source, which resides in a low system, sends messages to the destination, which resides in a high system, then the sender cannot use the same protocol because ACK/NAK arrival times can be used to send signals covertly. The capacity of this covert channel is analyzed in section 3.2.
2.2 Read-Down

Read-down allows the high level user/process (High) to read the low level user's/process's (Low) memory. But it does not allow High to send signals after it reads Low's message. Consider the following implementation of a mechanism that passes information from Low to High using only read-down. Low inserts its message into a low message buffer. High reads the message out of the buffer. However, Low has no indication that the message has been read. The message sits unchanged in the buffer until Low deletes it from the buffer.

Figure 2: Message passing from Low to High using read-down. (Figure not reproduced.)

Assuming that no error has occurred in the read-down procedure, there are two typical ways to achieve this communication:

• High keeps polling the low buffer. The disadvantage of this method is that the polling can waste resources (e.g., CPU time).

• High periodically performs a read-down (e.g., every $\Delta$ time). In this case, Low cannot send more than one message per $\Delta$. Otherwise, (unless there is an infinite buffer) Low may delete messages which have not been read by High. If $\Delta$ is too small, then, like the polling method, this method will waste resources. If $\Delta$ is too large, then the message rate will be reduced (i.e., the message rate of this communication is less than or equal to $1/\Delta$ messages/unit time).

Another drawback of this method is that the low process cannot detect if the high process is ready to receive messages or not. For example, if the high process crashed, there is no way for the low process to detect the situation and stop sending messages (otherwise Low may delete messages that High has not read yet).

2.3 Blind Write-Up

Blind write-up allows the low level user/process to write on the high level user's/process's memory. But it does not allow High to send an ACK/NAK to Low. We could implement a blind write-up mechanism as follows in figure 3.

Figure 3: Message passing from Low to High using blind write-up. (Figure not reproduced; it shows Low writing blindly into the high message buffer.)

The low process writes its message into the high message buffer and the high process reads messages from the buffer. Since the low process does not know the condition of the high process, it has to send a message and hope that the high process receives it. Hence, this mechanism is unreliable because even if there was an error during transmission, there is no way for the low process to discover it and retransmit the message.

3 A Quasi-Secure Low-to-High Communication Channel

The communication mechanisms presented in the previous section all have undesirable characteristics. The read-down and blind write-up methods are unreliable because there is no way of knowing what happens to the message after the source sent it. The Pump that will be introduced in this section is a variation of the conventional communication protocol that was introduced in section 2.1. We already mentioned that the conventional communication protocol has a covert channel. One way to circumvent this timing channel problem is to limit the ACK/NAK sending rate to meet the NCSC covert channel capacity guidelines [Dod] for B3/A1 classes. However, if it is desirable to send more messages (or ACK/NAK) than what the NCSC guideline specified, and the communication channel can handle this traffic, then this limitation causes a performance penalty for the communication system.

The Pump adds random noise to conventional communication methods to reduce the covert channel capacity. There have been other attempts to reduce timing channel capacity by introducing random noise to the system [CoMo91, Gra93, Hu91]. Our approach is different from the others in the sense that ours pays almost no performance penalty in the benign situation (i.e., there is no Trojan horse in the system). Our approach reduces timing channel capacity when Trojan horses attempt covert communication.


3.1 A Pump

This process can be used as a communication channel between any two security levels. Even though the Pump can reside in either source or destination, in this paper we assume that the Pump resides in the security level of the destination. This Pump needs to be trusted in the sense that the system designer has an assurance that the Pump will do only what it is supposed to do (i.e., the Pump sends to Low only ACK/NAK and does not repeat High's message). In a sense, the Pump is blocking any message flow from the destination process to the source process.

In our model of communication between high (destination) and low (source) processes, the location (i.e., either in the same computer or in two separate computers) of these two processes is not important.

The Pump has 3 basic components which work in conjunction with the (Pump independent) low and high processes to allow data to be passed from Low to High. In actuality, there is a subtle violation of Bell-LaPadula which allows a covert channel to exist. We will examine this later in the paper.

The components are the trusted low buffer (TLB), the trusted high buffer (THB), and a communication buffer (CB). The Pump works as follows:


Figure 4: Message passing from Low to High using the Pump. (Figure not reproduced.)

Low process: (Exterior to the Pump)

Low sends a message to the TLB and waits for an ACK from the TLB. Once an ACK arrives, then the message is removed from the low process (i.e., do the garbage collection) and a new message is sent (i.e., if the low process receives NAK or no response (i.e., time-out) then it will retransmit the same message). Note that Low may prepare a new message while Low waits for an ACK/NAK.

Trusted low buffer:

When a message arrives from the low process, the TLB inserts the message in the CB and then sends an ACK to the low process if the insertion is successful (i.e., there is space in the CB). Since the Pump is configured as a high process, this sending ACK violates the Bell-LaPadula constraints and a Trojan horse can exploit this procedure.

High process: (Exterior to the Pump)

When High receives a message from the THB, it stores the message and then sends an ACK/NAK to the THB.

Trusted high buffer:

This process sends a message to the high process if there is a message in the CB. Once an ACK arrives from the high process, the message is removed from the CB. If the THB receives NAK or no response (i.e., time-out) then it will retransmit the same message. Since the Pump is configured as a high process, this does not violate the Bell-LaPadula constraints.

Communication Buffer:

This is a regular FIFO buffer whose length is n. This buffer is shared between the TLB and the THB. It is also possible for the TLB and the THB to learn certain statistical information from the CB (e.g., the average response time of the high process).

It is easy to see that any process that communicates with the Pump can collect garbage because this process receives ACK. Also, any communication with the Pump is reliable due to ACK/NAK being sent. If the sender receives either NAK or is timed out, then it will retransmit the same message. In the following, we show other desirable features of the Pump.

This communication method is also recoverable if we implement the CB in non-volatile storage and each message has an associated message number. We consider the following four cases:

case 1: The system crashes after Low sends a message to the Pump but before the Pump receives it. Since Low never receives an ACK, it will resend the message as the system recovers.

case 2: The system crashes after the Pump receives a message but before Low receives an ACK. Since Low never receives an ACK, it will resend the message as the system recovers. However, the Pump will notice that the message has already been received because of the message number. Hence, it will just send an ACK.

case 3: The system crashes after the Pump sends a message but before High receives it. This is similar to case 1.

case 4: The system crashes after High receives a message but before the Pump receives an ACK. This is similar to case 2.

Note that there may be many destination processes and many source processes that use the same Pump. However, in this paper, we just consider the case of one source process and one destination process which will have the worst case covert channel capacity. We have been denoting these two processes of interest as simply High and Low. Further, when we perform channel capacity analysis we assume that there are no NAK's. This makes the analysis easier but does not affect the capacity bounds.
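The Pump components and the crash-recovery cases above, as an added example that is not code from the paper: a toy model of the TLB, the FIFO CB of length n and the THB, with message numbers so that a retransmission after a lost ACK (case 2) is re-ACKed rather than stored twice. Class and method names and the "WAIT" reply (no ACK while the CB is full) are assumptions made here.

```python
from collections import deque


class Pump:
    """TLB, CB and THB modelled as one object.  Names are assumptions made
    for this example, not the paper's."""

    def __init__(self, n):
        self.n = n                  # the CB is a FIFO of length n
        self.cb = deque()           # entries: (message number, payload)
        self.highest_seen = 0       # highest message number ever inserted

    # TLB side: Low -> Pump
    def tlb_receive(self, msg_no, payload):
        """Return the reply Low gets.  Low numbers its messages and sends them
        in order, so a number at or below highest_seen is a retransmission."""
        if msg_no <= self.highest_seen:
            # Case 2 of the text: the Pump already has (or already delivered)
            # this message; Low just never saw the ACK.  Re-ACK, no duplicate.
            return "ACK"
        if len(self.cb) >= self.n:
            # CB full: Low gets no ACK until High removes a message.  This
            # wait is the random variable S of section 3.1, and it is what a
            # Trojan horse in High could modulate.
            return "WAIT"
        self.cb.append((msg_no, payload))
        self.highest_seen = msg_no
        return "ACK"

    # THB side: Pump -> High
    def thb_next(self):
        """Message the THB (re)transmits to High, or None if the CB is empty.
        The THB keeps resending the head until High ACKs it."""
        return self.cb[0] if self.cb else None

    def thb_ack_received(self, msg_no):
        """High ACKed msg_no: the THB removes it from the CB.  An ACK that does
        not match the head (a stale duplicate, case 4) is ignored."""
        if self.cb and self.cb[0][0] == msg_no:
            self.cb.popleft()


class Low:
    """Low keeps each message until the TLB ACKs it (its garbage-collection
    signal) and otherwise retransmits the same message."""

    def __init__(self, payloads):
        self.pending = deque((i + 1, p) for i, p in enumerate(payloads))

    def send_next(self, pump, ack_lost=False):
        msg_no, payload = self.pending[0]
        reply = pump.tlb_receive(msg_no, payload)
        if reply == "ACK" and not ack_lost:
            self.pending.popleft()     # ACK seen: discard the message
        return reply


def crash_before_ack(n=2):
    """Case 2: the Pump stored message 1 but the ACK was lost in a crash.
    Low retransmits; the Pump must re-ACK and must not store it twice."""
    pump, low = Pump(n), Low([b"m1", b"m2"])
    low.send_next(pump, ack_lost=True)     # stored, ACK never reaches Low
    reply = low.send_next(pump)            # retransmission of message 1
    return reply, [m for m, _ in pump.cb]  # ("ACK", [1])


def high_is_bottleneck(n=2):
    """High ACKs nothing, so the CB fills and the third message must wait;
    once High ACKs the head, the retransmission is accepted in FIFO order."""
    pump, low = Pump(n), Low([b"m1", b"m2", b"m3"])
    replies = [low.send_next(pump) for _ in range(3)]   # ACK, ACK, WAIT
    pump.thb_ack_received(pump.thb_next()[0])          # High removes message 1
    replies.append(low.send_next(pump))                 # message 3 now fits
    return replies, [m for m, _ in pump.cb]            # [2, 3] left for High
```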

The time from when Low sends its i-th message to the TLB until it receives an ACK back from the TLB is given by $L_i$. If the CB has space on it when the TLB receives the i-th message from Low then $L_i$ is deterministic and simply equal to the fixed communication overhead time $O_i$. If the CB is full then the response time $L_i$ is probabilistic and is given by the random variable $S$ added onto the overhead $O_i$. $S$ is the amount of time that the TLB has to wait, when the CB is full, for High to remove a message (by sending an ACK to the THB) so that the TLB can insert its i-th message into the CB. Note that it is possible for the TLB to attempt to insert a message into the full CB after the THB has sent a message to High and while the THB is still waiting for an ACK back from High. Therefore, the $S$ values are less than or equal to the amount of time that the THB waits (the High ACK time). The distribution for $S$ can be discrete, continuous, or mixed. Without loss of generality, we assume in this paper that it is discrete. Note, it is the ability of a Trojan horse to affect $S$ that gives rise to a covert timing channel. In summary,

$$L_i = \begin{cases} O_i, & \text{if } CB_o, \\ O_i + S, & \text{if } CB_f, \end{cases}$$

where $CB_o$ represents the event that the CB has space on it, whereas $CB_f$ represents the event that the CB is full. By using conditional probability we can summarize the above by expressing the behavior of $L_i$, when the CB has space for a message, by $P(L_i \le t \mid CB_o) = P(O_i \le t)$, which is 1 for $t \ge O_i$ (i.e., this is just a univalued discrete random variable), and the behavior of $L_i$, when the CB is full, is given by $P(L_i \le t \mid CB_f) = P(S + O_i \le t)$. Admittedly, this is a rather cumbersome way of looking at such simple discrete random variables (one would normally look at mass functions instead of distribution functions). However, in section 4, when we adjust the distribution $L_i$, it is advantageous to view probabilities in this continuous manner.

3.2 Covert Timing Channels

A Trojan horse can exploit the present situation and create a covert timing channel. The Trojan horse controls when Low (via the low Trojan horse) sends a message and controls when High (via the high Trojan horse) sends an ACK back to the THB.

• The low Trojan horse fills the CB; this is done by having the high Trojan horse not remove messages from the CB. Now that the CB is full, there is a noiseless covert timing channel that exists between Low and High. Furthermore, this channel exists as long as the CB is full.

• Now Low sends a message to the TLB. The TLB cannot send an ACK back to Low until a spot opens up on the CB. This is totally in the control of High. We assume that $\varepsilon \approx O_i$ is the smallest amount of time that High can remove a message from the Pump and for Low to get an ACK after it has sent a message to the TLB. Since the high Trojan horse knows the size of the CB (i.e., n) and how fast the low Trojan horse can send a message, High knows that Low has filled the CB and has just sent a new message to the TLB. If Low gets an ACK at time $\varepsilon$, Low interprets the signal as a zero. We further assume that $2\varepsilon$ is the next amount of time that High can remove an item from the CB and for Low to get an ACK. Therefore if the ACK to Low is at $2\varepsilon$ then Low will interpret the symbol being passed by High as a one. Since every time Low receives an ACK, the CB is full again, Low can then attempt to insert its new message and High can send the binary symbols again. There is no noise in this channel.

We are looking at a worst case scenario with this example. High will try to send symbols as quickly as possible, hence the time values of $\varepsilon$ and $2\varepsilon$. The time units of our system are such that $\varepsilon$ is an integer, i.e., $\varepsilon$ is an integer number of system clock ticks. The channel capacity of this channel is given by

$$C = \limsup_{k \to \infty} \frac{\log N(k)}{k} \text{ bits per clock tick}$$

where the logarithms are base two and $N(k)$ is the number of distinct sequences of zeroes and ones that High can send that take a total of time $k$. It can be shown [Sh48, MiMo93, Mo93] that $C = \log \omega$, where $\omega$ is the positive root of $x^{2\varepsilon} - x^{\varepsilon} - 1 = 0$. The polynomial arises from the recurrence relation $N(k) = N(k - \varepsilon) + N(k - 2\varepsilon)$. By changing variables and letting $y = x^{\varepsilon}$ we see that $\omega^{\varepsilon}$ is the positive root of $y^2 - y - 1 = 0$. Therefore, $\omega = \left(\frac{1 + \sqrt{5}}{2}\right)^{1/\varepsilon}$, so $C = \varepsilon^{-1} \log \frac{1 + \sqrt{5}}{2}$.

In fact, there is nothing to limit the communication channel to just two symbols. High could send the symbols $\{b_1, b_2, \ldots, b_z\}$ by having the symbol $b_i$ correspond to a response time of $i\varepsilon$. In this case, the capacity is $\log \omega$ where $\omega$ is the positive root of $x^{z\varepsilon} - x^{(z-1)\varepsilon} - \cdots - x^{\varepsilon} - 1 = 0$. As the number of distinct symbols increases from 2 to $\infty$, it can be shown that the positive root monotonically increases from $\left(\frac{1 + \sqrt{5}}{2}\right)^{1/\varepsilon}$ to $2^{1/\varepsilon}$, hence the capacity monotonically increases from $\varepsilon^{-1} \log \frac{1 + \sqrt{5}}{2}$ to $\varepsilon^{-1}$. (The mathematical details to the above can be found in [Mo93].) Hence, by increasing the number of symbols from 2 to an infinite amount we can achieve an almost 50% increase in channel capacity. Of course, in practical usage, there is a limit to how long High will delay a response to Low, so the capacity of $\varepsilon^{-1}$ can be interpreted as a worst case upper limit. It is this capacity that we shall attempt to "beat" by the other means that we will discuss in the rest of the paper. We summarize this by (since $O_i \approx \varepsilon$)

$$\text{Worst Case Capacity Bound} = \frac{1}{\varepsilon} \text{ bits per clock tick.} \qquad (1)$$

Note that at present we have not added any security techniques to the Pump. When we do add these techniques we will see that we can substantially lower the channel capacity.

3.3 Performance/Security Goals

There are three cases that can limit the performance of this communication channel:

1. Low is the bottleneck. For example, the message sending rate of Low is slower than the rate that the Pump and High pass and receive messages. If this happens, the CB in the Pump can never be full. Consequently, no covert channel can exist.


2. The Pump is the bottleneck. For example, the message passing rate of the Pump is slower than the rate at which Low and High send and receive messages. If this happens, the CB in the Pump can be full. However, the time that Low receives ACKs does not reflect the response time of High because the ACK time from High is always faster than the ACK time to Low. Hence, no covert channel exists.

3. High can be the bottleneck. For example, the message receiving rate of High can be lower than the rate at which Low and the Pump can send and pass messages. If this happens, assuming that High and Low are Trojan horses, a covert timing channel can exist.

The use of better software or hardware may solve the first or the second case, but this is beyond the scope of this paper. This paper focuses on the third case, where a covert timing channel can exist. Hence, the rest of this paper assumes that High is the bottleneck of this communication channel and Low and the Pump can send and pass messages much faster than High accepts them.
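The capacity figures of section 3.2, as an added example that is not code from the paper: it evaluates $C = \log\omega$ for $z$ symbols from the positive root of the polynomial (with $y = x^{\varepsilon}$), checks it against the counting definition $\log N(k)/k$ via the recurrence for $N(k)$, and confirms the worst case bound $1/\varepsilon$ and the "almost 50%" gain from two symbols to infinitely many. Function names are this example's own; all inputs are constructed.

```python
import math


def positive_root(z):
    """Positive root y* of y^z - y^(z-1) - ... - y - 1 = 0 (y = x^eps), found
    by bisection.  f(1) = 1 - z < 0 and f(2) = 1 > 0, so the root is in (1, 2)
    for every z >= 2; omega itself is y*^(1/eps)."""
    def f(y):
        return y ** z - sum(y ** j for j in range(z))
    lo, hi = 1.0, 2.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if f(mid) > 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2


def capacity(z, eps):
    """C = log2(omega) bits per clock tick when High uses z symbols and symbol
    b_i costs i*eps ticks; for z = 2 this is (1/eps) * log2((1+sqrt5)/2)."""
    return math.log2(positive_root(z)) / eps


def count_sequences(z, eps, k):
    """N(k): number of symbol sequences whose response times total exactly k
    ticks, from N(k) = N(k-eps) + N(k-2eps) + ... + N(k-z*eps), N(0) = 1."""
    N = [0] * (k + 1)
    N[0] = 1
    for t in range(1, k + 1):
        N[t] = sum(N[t - i * eps] for i in range(1, z + 1) if t - i * eps >= 0)
    return N[k]


def empirical_capacity(z, eps, k):
    """log2 N(k) / k, which approaches capacity(z, eps) as k grows."""
    return math.log2(count_sequences(z, eps, k)) / k


def worst_case_bound(eps):
    """Eq. (1): as z -> infinity the root tends to 2, so C tends to 1/eps."""
    return 1.0 / eps


def gain_from_more_symbols():
    """Ratio of the z -> infinity capacity to the two-symbol capacity; the
    text's 'almost 50% increase' (independent of eps)."""
    return worst_case_bound(1) / capacity(2, 1)
```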

We wish to have a performance/security requirement that involves three goals. The first two attempt to mitigate the capacity of a timing channel, as described above, and the third goal attempts to make efficient use of system resources.

1. Prevent the CB from becoming/staying full.

2. Minimize the influence of High's actions on $L_i$.

3. Minimize system resources waiting in an idle state. For example, we would like to avoid the situation such as the Pump not sending an ACK, even though there is a space in the CB and Low is ready to send the next message, in order to prevent a covert channel.

Often, in the security community, we are faced with making a trade-off between security and performance. We propose a method that approximately achieves all the above goals. We will do this by modifying the distribution $L_i$, but first let us formalize our performance/security requirement as follows.

Let $\bar{L}_i$ denote the mean (expectation) of the random variable $L_i$. When Low submits its i-th message to the TLB, we consider the last m messages that High has ACK'ed. We take the average of these m ACK times and denote it by $H_{mi}$. The term $H_{mi}$ is a moving average and the window size m should be chosen large enough to be somewhat insensitive to individual fluctuations of High but yet still able to reflect the current system workload.

We state our performance/security requirement as follows

$$\bar{L}_i \approx H_{mi}. \qquad (2)$$

If we can get our system to obey Eq. (2) then we see that the CB is used in an efficient manner and any attempts of a Trojan horse speeding up Low and slowing down High, in order for the CB to become/stay full, are mitigated by the approximate equality of the two "averages" in Eq. (2). (Note that $\bar{L}_i$ is an actual mean, whereas $H_{mi}$ is a numerical moving average.) More precisely, let us look at the two cases where Eq. (2) is not met.

Case 1: $\bar{L}_i > H_{mi}$

Since we assume that Low and the Pump can handle messages faster than High, the above condition implies that the Pump intentionally delays the ACK for message i, possibly to prevent covert channels. If this holds then, on the average, High is removing messages from the CB faster than Low puts them into the CB. This will result in High waiting for messages and Low waiting for an ACK to send the next message. In this case, there will be no covert channel. However we are wasting resources in the sense that the Pump is not fully utilized, and High and Low wait for either messages or ACKs.

Case 2: $\bar{L}_i < H_{mi}$

If this holds then, on the average, Low is sending messages to the buffer faster than High removes them. Unless the CB size is infinite, this will result in the CB becoming full. Once the CB is full then $L_i$ becomes the same as High's response time. Also, if the CB becomes full, then a covert timing channel can be exploited as discussed previously.

Therefore, the only option left to us that both decreases exploitation of a covert timing channel and at the same time does not waste resources is Eq. (2). Note that we are allowing a slight "fudge" factor in our performance requirement due to practicality, and we use an approximate equality. The degree of "fudge" will be determined in practice.

Note that the system which obeys Eq. (2) pays almost no performance penalty in the benign situation. However, once Trojan horses decide to slow down High's response, to send signals to Low, then $H_{mi}$ will be increased and the capacity of the covert timing channel will be decreased. A system that comes close to meeting Eq. (2) assures one that the system is not a secure brick or a leaky vault.


4  Noisy Channels

The system which has a covert timing channel can nonetheless be utilized if we understand the nature of the channel and make the channel noisy enough so that the channel capacity is less than a certain threshold. In this section, we introduce random noise to the Pump by modifying the TLB’s response time to Low and analyze the covert channel capacities. The modification of the TLB’s response time will be done by adding a probabilistic effect to $L_i$. Now, the ACK time to Low is given by

    ACK time = Old $L_i$ + $A$

where $A$ is a random variable with mean $\bar{A}$. For the rest of this paper, we will denote this modified ACK time by $L_i$. In the benign case that we described in section 3.1, $A = 0$. $A$ must be chosen to increase security without killing performance. By conditioning on whether or not the CB is full we obtain

    $P(L_i < t) = P(L_i < t \mid \mathrm{CB}_0)\,P(\mathrm{CB}_0) + P(L_i < t \mid \mathrm{CB}_f)\,P(\mathrm{CB}_f)$    (3)

By setting $P(\mathrm{CB}_f) = \mu$ and noting that we have $P(L_i < t \mid \mathrm{CB}_f) = \sum_k P(L_i < t \mid \mathrm{CB}_f, S = s_k)\,P(S = s_k \mid \mathrm{CB}_f)$, since the events $\{S = s_k\}$ are disjoint, we see that Eq. (3) simplifies to

    $P(L_i < t) = P(L_i < t \mid \mathrm{CB}_0)\,(1 - \mu) + \sum_k P(L_i < t \mid \mathrm{CB}_f, S = s_k)\,P(S = s_k \mid \mathrm{CB}_f)\,\mu$    (4)

Since, by definition, $S$ is only defined when the CB is full, Eq. (4) reduces to

    $P(L_i < t) = (1 - \mu)\,P(L_i < t \mid \mathrm{CB}_0) + \mu \sum_k P(L_i < t \mid S = s_k)\,p_k$    (5)

However, $P(L_i < t \mid \mathrm{CB}_0)$ is just $P(O_i + A < t) = P(A < t - O_i)$ and $P(L_i < t \mid S = s_k) = P(s_k + O_i + A < t) = P(A < t - s_k - O_i)$.

By taking the derivative of both sides of Eq. (5) and denoting the density function of $L_i$ by $f_{L_i}(t)$ we arrive^3 at

    $f_{L_i}(t) = (1 - \mu)\,f_A(t - O_i) + \mu \sum_k p_k\,f_A(t - s_k - O_i)$

The mean wait for Low is

    $\bar{L}_i = \int_{-\infty}^{\infty} t \left[ (1 - \mu)\,f_A(t - O_i) + \mu \sum_k p_k\,f_A(t - s_k - O_i) \right] dt$    (6)

^3 In general, if $c$ is a constant, we have that $P(c + A < t) = P(A < t - c) = \int_{-\infty}^{t-c} dA$, where $dA$ is the measure associated with the random variable $A$. Note that $P(c + A < t) = \int_{-\infty}^{t-c} f_A(r)\,dr$, if $dA = f_A(r)\,dr$. (We assume that the density function $f_A(t)$ of $A$ always exists.)

We denote the mean of $S$, which is $\sum_k p_k s_k$, by $\bar{s}$. By simplifying Eq. (6) we obtain^4

    $\bar{L}_i = (1 - \mu)(\bar{A} + O_i) + \mu \sum_k p_k (\bar{A} + s_k + O_i)$
         $= (1 - \mu)(\bar{A} + O_i) + \mu \bar{A} + \mu \sum_k p_k (s_k + O_i)$
         $= (1 - \mu)(\bar{A} + O_i) + \mu (\bar{A} + \bar{s} + O_i)$

and finally

    $\bar{L}_i = \bar{A} + O_i + \mu \bar{s}$    (7)

Eq. (7) intuitively makes sense. If the CB is never full ($\mu = 0$) then $\bar{L}_i = \bar{A} + O_i$. If the CB is always full ($\mu = 1$) then $\bar{L}_i = \bar{A} + \bar{s} + O_i$.

We wish to choose $A$ so that Eq. (2) is satisfied. This forces upon us the condition that

    $\bar{A} = H_{m_i} - O_i - \mu \bar{s}$    (8)

Note that some fixed overhead, $O_h$, is already included in $H_{m_i}$. If for some reason $\bar{A} < 0$, we instead default $\bar{A}$ to a small value.

In the following sections, a specific random variable $A$ will be chosen. Based on this $A$, the covert channel capacity of the Pump will be analyzed.
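Eqs. (7) and (8) can be checked numerically. The following Python script is an added example, not code from the paper or from the Pump itself; the values of $O_i$, $\mu$, the distribution $p_k$ of $S$ and $H_{m_i}$ are constructed, and the fallback constant used when Eq. (8) would give a negative $\bar{A}$ is an assumption (the paper only says “a small value”). It draws $A$ from an exponential distribution, but Eq. (7) holds for any $A$ with mean $\bar{A}$, so the Monte Carlo mean of $L_i$ should match $\bar{A} + O_i + \mu\bar{s}$ and, with $\bar{A}$ taken from Eq. (8), should match $H_{m_i}$.

```python
import random
from statistics import mean

# Constructed parameters for illustration (not values from the paper); times in ms.
O_I = 2.0                                # O_i: fixed overhead on the Pump's ACK to Low
MU = 0.3                                 # mu = P(CB_f), probability that the CB is full
S_DIST = {1.0: 0.5, 3.0: 0.3, 6.0: 0.2}  # s_k -> p_k = P(S = s_k): High's extra delay when the CB is full
H_MI = 8.0                               # H_{m_i}: High's ACK time as seen by the Pump (includes O_h)


def s_bar(s_dist):
    """Mean of S: sum_k p_k s_k."""
    return sum(p_k * s_k for s_k, p_k in s_dist.items())


def mean_ack_time(a_bar, o_i, mu, s_dist):
    """Eq. (7): mean of L_i = A_bar + O_i + mu * s_bar."""
    return a_bar + o_i + mu * s_bar(s_dist)


def required_noise_mean(h_mi, o_i, mu, s_dist, floor=1e-3):
    """Eq. (8): A_bar = H_{m_i} - O_i - mu * s_bar, so that the mean of L_i equals H_{m_i}.

    If the result is not positive, fall back to a small value (`floor` is an
    assumed constant; the paper only says 'a small value')."""
    a_bar = h_mi - o_i - mu * s_bar(s_dist)
    return a_bar if a_bar > 0 else floor


def sample_ack_time(a_bar, o_i, mu, s_dist, rng):
    """One draw of L_i from the mixture in Eq. (5).

    With probability 1 - mu the CB has space and the shift is O_i; with
    probability mu it is full and the shift is s_k + O_i, s_k drawn with
    weights p_k.  A is exponential with mean a_bar (any distribution with that
    mean gives the same expected L_i)."""
    shift = o_i
    if rng.random() < mu:
        (s_k,) = rng.choices(list(s_dist), weights=list(s_dist.values()))
        shift += s_k
    return shift + rng.expovariate(1.0 / a_bar)


def simulated_mean_ack_time(a_bar, o_i, mu, s_dist, trials=200_000, seed=1):
    """Monte Carlo estimate of the mean of L_i, for comparison with Eq. (7)."""
    rng = random.Random(seed)
    return mean(sample_ack_time(a_bar, o_i, mu, s_dist, rng) for _ in range(trials))


if __name__ == "__main__":
    a_bar = required_noise_mean(H_MI, O_I, MU, S_DIST)
    print(f"s_bar = {s_bar(S_DIST):.3f}, A_bar from Eq. (8) = {a_bar:.3f}")
    print(f"Eq. (7) mean of L_i  = {mean_ack_time(a_bar, O_I, MU, S_DIST):.3f}")
    print(f"simulated mean of L_i = {simulated_mean_ack_time(a_bar, O_I, MU, S_DIST):.3f}")
```

With these constructed values $\bar{s} = 2.6$ and Eq. (8) gives $\bar{A} = 5.22$; both the analytic and the simulated mean of $L_i$ come out at $H_{m_i} = 8.0$, which is exactly the “no performance penalty in the benign case” property of Eq. (2).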

4.1  Choice of a Random Variable

We see, from the above discussion, that it is possible to add noise, via the random variable $A$, to $L_i$ so that the performance/security requirement is met. We will now discuss an explicit choice of $A$ and see how it affects the ability of High to communicate covertly, over a timing channel, to Low. The density function of the random variable that will be chosen should have the following two properties:

1. The mean of this random variable should be controllable. The density function should be sensitive to system feedback, in order to meet the performance/security requirement.

2. There should be no upper bound. If the support of the density function has an upper bound, then the upper bound can be exploited by Trojan horses. For example, if the uniform distribution is chosen, then $L_i$ will be uniformly distributed between $O_i$ and $2\bar{A} + O_i$. Hence, if the high Trojan horse decides to send a signal by sending an ACK after $2\bar{A} + O_i$, then the signal is delivered without any noise.

^4 $\int_{-\infty}^{\infty} t\,f_A(t - c)\,dt = \int_{-\infty}^{\infty} (u + c)\,f_A(u)\,du = \bar{A} + c$

Even though there are many random variables that satisfy the above properties we have chosen the exponential distribution because the capacity of the covert channel is relatively easy to analyze (due to the relatively simple density function). In fact, the exponential distribution has been well studied in other security work [Mo91, MoMi92a, MoMi92b] and is the basis of much work in queuing theory. The following is an actual implementation of the exponential distribution in the Pump.


5  A Noisy Scheme

First, we would like to consider a scheme that pays very little performance penalty. (By this we mean deviation from Eq. (2), erring on the side of system performance more than that of security.)

To make this channel noisy, we consider the following scheme:

•  The CB of the Pump computes $H_{m_i}$ as a moving average for the last $m$ values of High’s ACK time to the THB.

•  The distribution for $A$ is given by the exponential random variable with density function

    $f_A(t) = \begin{cases} \lambda e^{-\lambda t}, & \text{if } t > 0, \\ 0, & \text{otherwise.} \end{cases}$

This means that when the CB has space on it, $L_i$ has a conditional density function given by

    $f_{L_i}(t) = \begin{cases} \lambda e^{-\lambda (t - O_i)}, & \text{if } t > O_i, \\ 0, & \text{otherwise,} \end{cases}$

and when the CB is full and $S = s_k$, the conditional density is

    $f_{L_i}(t) = \begin{cases} \lambda e^{-\lambda (t - (s_k + O_i))}, & \text{if } t > s_k + O_i, \\ 0, & \text{otherwise.} \end{cases}$

The above conditional densities are obtained by taking the convolution of the exponential density with a density function of the form $\delta(t - a)$, $a$ a constant (see footnote 3). We refer to any random variable that has a density function of the form $\lambda e^{-\lambda (t - a)}$, $t > a$, as a modified exponential distribution with shift $a$. The intuition behind the modified exponential distribution is that it decays just like the exponential density; however, the decay starts at $a$ instead of 0. Of course a modified exponential distribution no longer has the (defining) memoryless property of the exponential distribution.

Note that the mean of $A$ is $1/\lambda$ which we set, from Eq. (8), equal to $H_{m_i} - O_i - \mu \bar{s}$. Of course in practice we would eventually have to bound the tail on the exponential distribution but this bound need not be a function of its mean, as it must be for the uniform distribution. So there is eventually a time out, perhaps quite large, such that Low finally does receive an ACK. This prevents the existence of a (theoretically possible) dangling message.
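The scheme above (a moving-average $H_{m_i}$ that sets the rate $\lambda$ of a shifted exponential, with an eventual time out) can be written down concretely. The following Python class is an added example and not the Pump’s own implementation, which the paper does not show; the class and method names, the floor applied when Eq. (8) yields $\bar{A} \le 0$, the time out and all numeric values are assumptions made here. It shows how a slowdown in High’s ACK times propagates, through $H_{m_i}$, into a larger mean for $L_i$, and that every sampled $L_i$ lies between its shift and the time out.

```python
import random
from collections import deque


class NoisyPumpAckScheduler:
    """ACK-delay generator for the Section 5 scheme (added example, not the Pump's code).

    H_{m_i} is the moving average of the last m High ACK times; lambda = 1 / A_bar
    with A_bar from Eq. (8); L_i is a modified exponential with shift O_i (CB has
    space) or s_k + O_i (CB full), capped at an assumed time out so that no ACK
    dangles forever."""

    def __init__(self, m, o_i, timeout, min_mean=1e-3, seed=None):
        self.m = m                      # window length of the moving average
        self.o_i = o_i                  # O_i: fixed overhead on the ACK to Low
        self.timeout = timeout          # assumed upper bound on any L_i
        self.min_mean = min_mean        # assumed floor for A_bar when Eq. (8) gives <= 0
        self.high_acks = deque(maxlen=m)
        self.rng = random.Random(seed)

    def observe_high_ack(self, t):
        """Record one High -> THB ACK time; only the last m are kept."""
        self.high_acks.append(t)

    def h_mi(self):
        """Moving average H_{m_i} over the recorded High ACK times."""
        if not self.high_acks:
            raise ValueError("no High ACK times observed yet")
        return sum(self.high_acks) / len(self.high_acks)

    def rate(self, mu, s_bar):
        """lambda = 1 / A_bar with A_bar = H_{m_i} - O_i - mu * s_bar (Eq. (8))."""
        a_bar = self.h_mi() - self.o_i - mu * s_bar
        return 1.0 / max(a_bar, self.min_mean)

    def ack_delay(self, mu, s_bar, s_k=None):
        """Sample L_i: shift plus an exponential draw with rate lambda, capped at the time out.

        s_k is the extra delay already incurred because the CB is full; pass None
        when the CB has space."""
        shift = self.o_i + (0.0 if s_k is None else s_k)
        delay = shift + self.rng.expovariate(self.rate(mu, s_bar))
        return min(delay, self.timeout)


def mean_ack_delay(sched, mu, s_bar, s_k=None, samples=100_000):
    """Empirical mean of L_i for the scheduler's current H_{m_i}."""
    return sum(sched.ack_delay(mu, s_bar, s_k) for _ in range(samples)) / samples


def feedback_demo(m=4, o_i=1.0, mu=0.2, s_bar=2.0, fast=5.0, slow=20.0, seed=7):
    """Return (H_{m_i}, lambda, mean L_i) before and after High slows its ACKs from
    `fast` to `slow` for m consecutive messages (constructed values)."""
    sched = NoisyPumpAckScheduler(m, o_i, timeout=1000.0, seed=seed)
    out = []
    for high_ack in (fast, slow):
        for _ in range(m):
            sched.observe_high_ack(high_ack)
        out.append((sched.h_mi(), sched.rate(mu, s_bar), mean_ack_delay(sched, mu, s_bar)))
    return out


if __name__ == "__main__":
    for h_mi, lam, mean_li in feedback_demo():
        print(f"H_mi = {h_mi:5.1f}  lambda = {lam:.4f}  mean L_i = {mean_li:6.2f}")
```

Once High has answered slowly for $m$ messages, the whole window reflects the slow value and the mean of $L_i$ rises from about $O_i + 3.6$ to about $O_i + 18.6$ with the constructed numbers; the moving average is what makes the penalty persist for the next $m$ ACKs rather than for a single one.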


5.1  Analysis of Timing Channel Capacity

We see that our system satisfies the performance/security requirement. However it does much more. Our system is controllable due to the feedback to $L_i$, via the ability to change $\lambda$, due to the changes in $H_{m_i}$. Assume, for example, that High wishes to covertly signal Low. There are two methods; one is the noiseless channel approach as described in section 3.2 and the other is the noisy channel approach. Let us try to get some quantitative bounds on the capacity for both methods. We assume in this analysis that $m \approx n$. In future work, we hope to remove this restriction and see if even further capacity reductions can be obtained.

As before High will attempt to signal Low by affecting the values of $L_i$. Say High tries the strategy that we discussed earlier of letting the CB get full and then removing messages within time $\epsilon$ or $2\epsilon$. Two factors make this an unfeasible Trojan horse strategy. The first is that High cannot get the CB full and keep it full without a severe time penalty being enacted upon $L_i$. This is because for the CB to become full, High must be removing messages at a slower rate than Low is getting ACKs back from the TLB. But after a certain number of messages the slow rate of High is manifested by forcing $L_i$ to also slow down due to the moving average construction of $\lambda$. There are three basic problems with this approach. One is the noise that is involved when High tries to send a symbol to Low. The second is the time involved in sending the symbol due to large delays by High necessitated by High trying to send a symbol with as little noise as possible. The third is synchronization problems between High and Low. By this we mean the ability of Low to differentiate, via $L_i$ values or the number of messages ACK’ed, between when High is getting ready to send a message (i.e., letting the CB get full) and when $L_i$ is the actual symbol being passed by High. Let us consider three possible exploitations below.

Exploitation strategy 1:

High acts quickly (ACK time $= \epsilon$) $m$ times. This has the effect of lowering the moving average and thus speeding up the $L_i$ values. Now High does not send an ACK for $t = m\epsilon$ in the hopes of Low filling the CB. When Low finally does receive this delayed $L_i$ value it is interpreted as a synchronization signal from High to Low — this means that the next $L_i$ value is to be interpreted as a symbol being sent by High. The next High ACK time, via the $S$ value chosen by High, is chosen so as to send a symbol to Low. However, due to the probabilistic nature of $L_i$ and the fact that the CB may not even be full, this symbol is quite ambiguous. Note that now $L_i$ is large because of the previous High delay of $t = m\epsilon$.

High wishes for the CB to become full again so that it can again send a symbol with as little noise as possible, so High repeats the above process of lowering $L_i$ by acting quickly and then delaying and finally sending a symbol. We see that if a symbol is sent noiselessly it would take at least $t = (2m + 1)\epsilon$. Therefore

    $C < \frac{1}{(2m + 1)\epsilon}$

Exploitation strategy 2:

Instead of High repeating the process of — filling the CB, delaying, and filling the CB again — after High sends the first symbol, it continues to send symbols. However, if High ACKs a message quickly to try to send Low small $S$ values it will, in fact, end up only emptying out the CB and thus will not be able to send Low different $S$ values. This is because the $L_i$ values are, at this point, very large due to the effect of the previous large delay by High. Therefore, High must wait at least $t = m\epsilon$ and then the additional $s_k$ times to attempt to send Low a symbol that is not too noisy. However, High’s waiting this long to send an ACK has the side effect of keeping the moving average large. Therefore, all High is doing is sending noisy symbols in a very slow manner. Therefore, a worst case analysis would still have $C < 1/(m\epsilon)$.

Exploitation strategy 3:

High could attempt to send information to Low by simply affecting the moving average and having Low interpret its response times without High trying to make the CB full. A full analysis of this scenario is quite complicated and involves channels with continuous outputs (waveform analysis) which, up to now, have not been studied by the security community. Also there are severe practical coding issues when one quantizes the output space into many symbols. So even though a true capacity upper bound could be obtained, it would be impossible to build the proper code. So from a practical standpoint one could study the capacity just through finite decoding schemes (this is not to say that one should not see how the capacities differ). We can make some qualitative statements about the channel capacity based on present techniques. Low’s ACK time is a modified exponential distribution with shift $O_i$. All High can do is to alter the mean, $1/\lambda + O_i$. Let us look at a simplifying example where High tries to send a symbol to Low by varying $\lambda$ between two values. Low receives a response and wants to decide whether it came from a modified exponential distribution with mean $1/\lambda_1 + O_i$ or whether it came from a modified exponential distribution with mean $1/\lambda_2 + O_i$. If $\lambda_1 \approx \lambda_2$ then it is hard to make this decision and the symbol is very noisy. To make the symbol less noisy would require High to enlarge the difference between $\lambda_1$ and $\lambda_2$; this, however, would also increase the time that Low receives the symbol and in fact increase the time that Low receives future symbols due to the moving average construction of $\lambda$. Therefore we decrease the noise with which symbols are sent only by penalizing the time cost with which they are sent. Between the fidelity criterion of the symbols forcing a large difference between the $\lambda$ values and the fact that the moving average moderates any change of High by a factor of $1/m$, we feel that $C < 1/(m\epsilon)$ is still a valid worst case bound.

In fact one could use a combination of the above exploitation strategies. However, we do not see any order of magnitude improvement by doing this.

We see that the size of the CB, $n$, is very important to the security of the channel. In the future, through both analytic techniques and simulations, we hope to obtain rules of thumb that a system designer could use to lower the capacity to within specified bounds. As in section 3.2, since $O_i \approx \mu\bar{s} \approx \epsilon$, and $m \approx n$, being conservative we may state

    Worst Case Capacity Bound with Noise added to the Pump $= \frac{1}{n\,O_i}$    (9)

Thus far, the mean of the exponential distribution was a function of $H_{m_i}$. However, if one wishes to reduce the channel capacity further, $\lambda$ can be chosen not only as a function of $H_{m_i}$ but also as a function of the current state of the CB. For example, if the CB is 80% full then $\lambda$ may be a function of $2H_{m_i}$, if the CB is 90% full then $\lambda$ may be a function of $3H_{m_i}$, and so on. This will have the effect of slowing down $L_i$ when High tries to send covert signals with very little noise.
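The two-level example in exploitation strategy 3 can be made quantitative with a likelihood-ratio decision, which is the best Low can do with a single observation. The following Python functions are an added example and not part of the paper: they assume equiprobable symbols, one observation per symbol, a hard decision at the point where the two shifted-exponential densities cross, and they ignore the moving-average feedback (so they describe one isolated symbol, not the slowdown of later ones). They return the two decoding error probabilities, the mutual information of the resulting binary channel in bits per symbol, and the mean ACK time $O_i + \tfrac{1}{2}(1/\lambda_1 + 1/\lambda_2)$ spent per symbol, so the trade-off between symbol fidelity and time cost described above can be read off for any pair $\lambda_1 > \lambda_2$.

```python
import math


def binary_entropy(p):
    """h(p) in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def lrt_threshold(lam1, lam2):
    """Crossing point u* of the densities lam * exp(-lam * u), lam1 > lam2.

    Low observes u = L_i - O_i; the shift O_i is common to both hypotheses and
    cancels.  The likelihood-ratio rule is: decide 'fast' (lam1) if u < u*,
    otherwise 'slow' (lam2)."""
    if lam1 <= lam2:
        raise ValueError("lam1 must be the faster rate (lam1 > lam2)")
    return math.log(lam1 / lam2) / (lam1 - lam2)


def error_probabilities(lam1, lam2):
    """(P(decode slow | fast sent), P(decode fast | slow sent)) for the rule above."""
    u_star = lrt_threshold(lam1, lam2)
    e_fast = math.exp(-lam1 * u_star)        # fast symbol lands beyond u*
    e_slow = 1.0 - math.exp(-lam2 * u_star)  # slow symbol lands before u*
    return e_fast, e_slow


def mutual_information_bits(lam1, lam2):
    """I(X;Y) of the hard-decision binary channel with equiprobable symbols."""
    e_fast, e_slow = error_probabilities(lam1, lam2)
    p_y_fast = 0.5 * (1.0 - e_fast) + 0.5 * e_slow
    return binary_entropy(p_y_fast) - 0.5 * (binary_entropy(e_fast) + binary_entropy(e_slow))


def mean_symbol_time(lam1, lam2, o_i):
    """Expected L_i per symbol: O_i plus the average of the two exponential means."""
    return o_i + 0.5 * (1.0 / lam1 + 1.0 / lam2)


def bits_per_unit_time(lam1, lam2, o_i):
    """Information rate of this isolated two-level scheme (no moving-average effect)."""
    return mutual_information_bits(lam1, lam2) / mean_symbol_time(lam1, lam2, o_i)


if __name__ == "__main__":
    o_i = 0.1                                # constructed O_i, same time unit as 1/lambda
    for lam2 in (0.999, 0.5, 0.1, 0.01):     # lam1 = 1.0 fixed, lam2 increasingly slower
        e1, e2 = error_probabilities(1.0, lam2)
        print(f"lam2={lam2:<6} errors=({e1:.3f}, {e2:.3f})  "
              f"bits/symbol={mutual_information_bits(1.0, lam2):.4f}  "
              f"mean time={mean_symbol_time(1.0, lam2, o_i):6.2f}  "
              f"bits/time={bits_per_unit_time(1.0, lam2, o_i):.4f}")
```

For $\lambda_1 = 1$ and $\lambda_2 = 0.5$ the decision threshold is $u^* = 2\ln 2$, the error probabilities are exactly $1/4$ and $1/2$, and a symbol carries under $0.05$ bits; as $\lambda_2 \to \lambda_1$ the errors approach pure chance and the information per symbol vanishes, while separating the rates further buys bits per symbol only by lengthening the mean ACK time, which is the qualitative statement of the text.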

6  Summary

In this paper, we introduced the Pump. It is a generic communication mechanism in the sense that it can be used to pass messages between any two different security levels. The Pump has all desirable features (i.e., reliability, reasonable performance, garbage collectibility, recoverability, and practicality) of conventional communication mechanisms. At the same time, the covert channel capacity of the Pump is less than $\frac{1}{n}$ times that of the conventional communication mechanisms (by comparing Eq. (1) to Eq. (9)), where $n$ is the buffer size.

The result that is presented in this paper is the worst case channel capacity. Our future plans are: (1) to tighten the bound of covert channel capacity, and (2) to provide the covert channel capacity as a function of $n$ and $m$ so that the system designer can choose the values, $n$ and $m$, according to his/her security requirements.